
Web Application

Security
for Beginners - Part 1
adzmely mansor
adzmely@gmail.com

Web Application Security


some stats

Web Application Security


Web applications have become the #1 target
71% of attacks target the application layer (Gartner)
Most web applications are vulnerable
95% of web applications have some sort of vulnerability (Imperva)
78% of easily exploitable weaknesses occur in web applications (Symantec)

Internet Security Threat Report


Symantec 2011

4,595 Web Attacks blocked per day in 2011


1,100,000 identities exposed per breach
Targets are 50% big businesses and 50% small to medium
403,000,000 unique variants of Malware
55,294 malicious web domains
One in every 239 emails contains a virus

Top 5 Most Infected Websites


Symantec 2011

Blogs and Web Communication


Hosting/Personal Hosting Sites
Business/Economy
Shopping
Education & Reference

Website Attackers by Country

[chart in the original deck: Incapsula, August 2012]

Mindset
different people see things differently

Security Mindset
security requires a particular mindset; people who have it see the world differently:
a thief (a security-oriented profession, of sorts) can't walk into a store without noticing and counting how many CCTV cameras are installed and which way they point: is there a blind spot?

engineers/programmers
think about how things can be made to work

security engineers
think about how things can be made to fail
think like an attacker or a criminal
if you don't see the world that way, you will never notice most security problems

many security challenges require a deep understanding of both the security and the programming concepts behind them
being a programmer gives you an advantage

HTTP Protocol
the fundamentals

why bother?
it makes debugging easier
it improves your understanding of security

HTTP Protocol
application-layer protocol on top of TCP/IP
client - server
a set of rules for how data is transmitted

HTTP Protocol
[diagram] Client (browser) -> Internet (proxy) -> Server: example.com (LB/cache -> web -> DB/storage)

HTTP Protocol: name resolution
before anything is sent, the browser resolves example.com to an IP address (93.184.216.119 in the slides), trying in order the browser cache, the hosts file and DNS

HTTP Protocol: TCP/IP connection, 3-way handshake
client -> server: SYN ("u there bro?")
server -> client: SYN-ACK ("Yup!!!")
client -> server: ACK ("cool!!!")

HTTP Protocol
only now does HTTP start, on top of the established TCP connection:
client -> server: GET /
server -> client: 200 OK, index.html content

HTTP Protocol
the same exchange by hand with telnet (type the request line and the Host header, then an empty line to end the headers; the version token is HTTP/1.1 in upper case per RFC 2616, although this Apache also accepted the lower-case http/1.1 typed in the original transcript):
$ telnet vps 80
Trying 188.241.112.26...
Connected to webfirewall.xjutsu.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: vps

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 15:17:05 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Fri, 04 Oct 2013 01:23:15 GMT
ETag: "71d88de-0-4e7e02584e6c0"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Cache-Control: max-age=10800
Content-Type: text/html

Content-Length: 0 means this response carries no body (an empty index page); note also that the Server header discloses the exact Apache version and OS, which is useful reconnaissance for an attacker

HTTP Protocol
the browser parses index.html and fetches each embedded resource with its own request:
client -> server: GET /images/banner.jpg
server -> client: 200 OK

HTTP Protocol: TCP/IP connection teardown
client -> server: FIN ("bye, im done!")
server -> client: FIN-ACK ("Sayonara!!!")
(each side sends its own FIN and acknowledges the other's, so a full close is normally four packets; the slide shows the simplified two-step view)

HTTP Protocol
Client -> HTTP Request -> Server
Server -> HTTP Response -> Client

HTTP Protocol: HTTP Request
Request line: GET /index.html HTTP/1.1
  request method (GET), requested resource (/index.html), HTTP version used (HTTP/1.1)
Request headers: Host: www.example.com
  general headers, request headers, entity headers
Optional content (body), after an empty line

HTTP Protocol: HTTP Response
HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close
<html> ....

Status line: HTTP/1.1 200 OK
  HTTP version (HTTP/1.1), status code (200), status description (OK)
Headers: general headers, response headers, entity headers
Optional content (body): <html> ....
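The request and response anatomy above, as an added worked example (not code from the original deck): build the exact bytes of an HTTP/1.1 request and parse a raw response into status line, headers and body. SAMPLE_RESPONSE is constructed for the example, modelled on the Apache reply in the telnet transcript; nothing here touches the network.

```python
"""Raw HTTP/1.1: build a request, parse a response.

Added example, not code from the slides. SAMPLE_RESPONSE is constructed
for this example, modelled on the Apache reply in the telnet transcript;
nothing here touches the network.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


def build_request(method: str, path: str, host: str,
                  headers: Optional[Dict[str, str]] = None,
                  body: bytes = b"") -> bytes:
    """Bytes a client puts on the wire for one request.

    Request line, headers, an empty line (CRLF CRLF), then the optional
    body. Host is mandatory in HTTP/1.1; Content-Length is added when a
    body is present so the server knows where the request ends.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


@dataclass
class Response:
    version: str
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> Response:
    """Split raw bytes into status line, headers and body.

    The body is exactly Content-Length bytes; anything after it is left
    alone because on a keep-alive connection it belongs to the next
    response (getting this boundary wrong is what request/response
    smuggling exploits).
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: headers not terminated")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    length = int(headers.get("content-length", "0"))
    return Response(version, status, reason, headers, rest[:length])


# Constructed sample: the 25-byte body is followed by bytes that are NOT
# part of this response, to show that parsing stops at Content-Length.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 07 Oct 2013 15:17:05 GMT\r\n"
    b"Server: Apache/2.2.16 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 25\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"<html><p>hello</p></html>"
    b"HTTP/1.1 404 Not Found\r\n"   # start of the next response on the same connection
)

if __name__ == "__main__":
    print(build_request("GET", "/index.html", "www.example.com").decode())
    r = parse_response(SAMPLE_RESPONSE)
    print(r.status, r.reason, r.headers["server"], r.body)
```

Pipe the output of build_request into a socket (or paste it into telnet as in the transcript) and the server answers exactly as shown on the slides; the parser is the piece Burp and every proxy in the diagram have to get right.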

HTTP Protocol
Stateless protocol
each request is an independent transaction, unrelated to any previous request
to overcome this at the application level, cookies are used

HTTP Protocol
Cookies
small name=value pairs set by the server (Set-Cookie) and stored by the client browser
sent back with every matching request (Cookie), which is how a session is maintained
are data, not code: non-executable

References: RFC 2616 (HTTP/1.1) and RFC 2965 (HTTP state management, i.e. cookies); both have since been superseded (RFC 6265 for cookies, the RFC 7230 family for HTTP/1.1)

Exercise

explain the 3-way handshake and how it works

SYN Flood Attack

SYN Flood Attack
the attacker sends many SYN packets (often from spoofed source addresses) and never sends the final ACK, so the server is left holding half-open connections that consume its backlog and memory; once the backlog is full, legitimate SYNs are dropped too

SYN Flood Mitigation
RFC 4987: TCP SYN Flooding Attacks and Common Mitigations (SYN cookies, larger backlogs, shorter SYN-RECEIVED timers, filtering)

SYN Flood Attack

http://www.digitalattackmap.com
http://www.arbornetworks.com/threats
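The backlog exhaustion described above and the SYN-cookie mitigation from RFC 4987, as an added simulation (not code from the deck). Addresses, the backlog size and the flood volume are invented; the cookie is a simplified form of the real scheme (a keyed hash over the peer address and a coarse timestamp, truncated to 32 bits), enough to show why the server needs no per-SYN state, not a kernel implementation.

```python
"""TCP listener model: a stateful SYN backlog vs. SYN cookies (RFC 4987).

Added example, not from the slides. Addresses, backlog size and flood
volume are invented for the simulation; the cookie is a simplified form
of the real scheme (a keyed hash over the peer address and a coarse
timestamp, truncated to 32 bits).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

Peer = Tuple[str, int]          # (source IP, source port)
BACKLOG = 128                   # half-open entries we are willing to hold (assumed)
MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, use_syn_cookies: bool):
        self.use_syn_cookies = use_syn_cookies
        self.half_open: Dict[Peer, int] = {}     # peer -> ISN we sent (stateful mode only)
        self.established: Set[Peer] = set()
        self.dropped_syns = 0
        self._secret = secrets.token_bytes(16)   # rotated periodically in real stacks
        self.tick = 0                            # coarse clock, advanced by the caller

    def _cookie(self, peer: Peer, tick: int) -> int:
        msg = f"{peer[0]}:{peer[1]}:{tick}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, peer: Peer) -> Optional[int]:
        """Handle a SYN; return the ISN we put in SYN-ACK, or None if dropped."""
        if self.use_syn_cookies:
            return self._cookie(peer, self.tick)          # nothing stored
        if peer in self.half_open:                        # retransmitted SYN
            return self.half_open[peer]
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1                        # queue full: honest clients lose too
            return None
        isn = secrets.randbits(32)
        self.half_open[peer] = isn
        return isn

    def on_ack(self, peer: Peer, ack: int) -> bool:
        """Third packet: the ACK number must be our ISN + 1."""
        if self.use_syn_cookies:
            # Recompute for the current and previous tick; no table lookup needed.
            ok = any((self._cookie(peer, t) + 1) & MASK32 == ack
                     for t in (self.tick, self.tick - 1))
        else:
            isn = self.half_open.pop(peer, None)
            ok = isn is not None and (isn + 1) & MASK32 == ack
        if ok:
            self.established.add(peer)
        return ok


def flood_then_connect(use_syn_cookies: bool, flood_size: int = 1000) -> bool:
    """Spoofed SYNs that never ACK, then one honest client.

    Returns True if the honest client's handshake completes.
    """
    srv = Listener(use_syn_cookies)
    for i in range(flood_size):
        srv.on_syn((f"198.51.100.{i % 254 + 1}", 40000 + i))    # spoofed, never ACKs
    honest: Peer = ("203.0.113.7", 51515)
    isn = srv.on_syn(honest)
    if isn is None:
        return False
    return srv.on_ack(honest, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful backlog, honest client connected:", flood_then_connect(False))
    print("SYN cookies, honest client connected:     ", flood_then_connect(True))
```

With the stateful backlog, 1000 unanswered SYNs fill the 128 slots and the honest client's SYN is dropped; with cookies the listener keeps nothing per SYN and verifies the returning ACK by recomputation, so the flood costs it only CPU.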

HTTP Header as attack vector

HTTP Host Header Attack
possible under certain conditions, when developers trust client-controlled HTTP headers (the Host header is chosen by the client, like any other header)

~$ telnet attack.com 80
GET / HTTP/1.1
Host: evil.com


HTTP Host Header Attack
the application uses the HTTP Host header blindly (to build URLs, pick a tenant, load a page)

HTTP Host Header Attack
on its own the attacker only poisons their own response; it becomes dangerous when the attacked page/server uses a caching mechanism
not easy while the attacked page is being served from cache
keep sending the malicious HTTP Host header for some duration (indefinitely?)
until the cache times out and a new page is generated, possibly with the injected malicious Host, which is then cached and served to other users

HTTP Host Header Attack

Real example (a true story):
a friend is developing a SaaS application that is live and serving customers
with consent, agreed to run some simple tests for possibly vulnerable code
SaaS applications commonly use the HTTP Host header to dynamically load customer-specific pages according to the domain/URL

HTTP Host Header Attack

Real example (a true story): FIRST simple test (using curl)
~$ curl -H "Host: evil" http://ww3.linktrackr.com
<br />
<b>Notice</b>: Undefined offset: 1 in <b>/var/www/linktrackr/public_html/index.php</b> on line <b>23</b><br />
~$
(annotation: the Host value "evil" is not a FQDN, and the PHP notice shows the code indexing a part of the hostname that does not exist)

(annotation: information disclosure; the unexpected PHP error/notice reveals the document root and script path, /var/www/linktrackr/public_html/index.php)
HTTP Host Header Attack

Real example (a true story): the (dangerous) PHP code
[code shown as an image in the original deck; annotation: the route/page is defined from $_SERVER['HTTP_HOST'], and an unexpected Host value produces a PHP error/notice]
HTTP Host Header Attack

In one well-known locally developed PHP framework:
app/protected/config/common.conf.php:
$config['APP_URL'] = 'http://'.$_SERVER['HTTP_HOST'].$config['SUBFOLDER'];

every absolute URL the framework generates is built from a client-controlled value; yet exploiting it is not easy in this case:
it only reaches other users if the generated page ends up in a local/server cache

Exercise:
http://188.241.117.154/__wslab__/wcp/
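The two sides of the APP_URL pattern above, as an added example (not the framework's code): one function echoes the Host header the way the config line does, the other only accepts an allow-listed hostname and answers 400 for anything else. ALLOWED_HOSTS, CANONICAL_HOST, SUBFOLDER and the sample headers are constructed for the example.

```python
"""Absolute URLs from the Host header: echoing it vs. validating it.

Added example, not the framework's code. ALLOWED_HOSTS, CANONICAL_HOST,
SUBFOLDER and the sample headers are constructed for the example.
"""
from typing import Mapping, Tuple

# Hostnames this deployment actually answers for (assumed). In the
# framework above this belongs in config instead of $_SERVER['HTTP_HOST'].
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"
SUBFOLDER = "/app"


class DisallowedHost(ValueError):
    """Raise this and answer 400; never build a page around the bad value."""


def app_url_unsafe(headers: Mapping[str, str]) -> str:
    """Same idea as 'http://'.$_SERVER['HTTP_HOST'].$config['SUBFOLDER']:
    whatever the client typed into Host ends up in every generated link."""
    return "http://" + headers.get("Host", "") + SUBFOLDER


def validate_host(value: str) -> Tuple[str, str]:
    """Return (hostname, port) for an allow-listed Host, else raise."""
    host, _, port = value.strip().lower().partition(":")
    if host not in ALLOWED_HOSTS:
        raise DisallowedHost(f"Host not served here: {value!r}")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        raise DisallowedHost(f"bad port in Host: {value!r}")
    return host, port


def app_url_safe(headers: Mapping[str, str], scheme: str = "https") -> str:
    """Only an allow-listed Host reaches the generated URL. A missing Host is
    treated as the canonical name (HTTP/1.0 clients); anything else is 400."""
    raw = headers.get("Host")
    if raw is None:
        return f"{scheme}://{CANONICAL_HOST}{SUBFOLDER}"
    host, port = validate_host(raw)
    authority = f"{host}:{port}" if port else host
    return f"{scheme}://{authority}{SUBFOLDER}"


if __name__ == "__main__":
    probe = {"Host": "evil"}            # the curl -H "Host: evil" probe from the slides
    print(app_url_unsafe(probe))        # http://evil/app
    try:
        print(app_url_safe(probe))
    except DisallowedHost as e:
        print("400 Bad Request:", e)
```

Rejecting rather than silently substituting the canonical name is deliberate: a 400 on an unexpected Host shows up in logs as probing, and the cache never stores a page built from the bad value.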

HTTP Authentication

Basic Authentication

Basic Authentication
uses a username and password combination to authenticate the user
the browser starts with a GET request without any credentials
the server responds with 401 Authorization Required (and a WWW-Authenticate: Basic header naming the realm)
the browser pops up a dialog requesting credentials
the browser re-sends the request for the resource with an Authorization header

Basic Authentication
using Burp Suite to intercept:
gives control of the traffic exchanged between a web browser and a web server
lets you manipulate data before it is sent
helps map/monitor the data exchanged between browser and web server in order to find possible vulnerabilities

Basic Authentication
initial GET request:

Basic Authentication
server responds with HTTP/1.1 401 Authorization Required

Basic Authentication
browser pops up a dialog requesting credentials, and after submit:
GET /__wslab__/auth/ HTTP/1.1
Host: 188.241.117.154
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic YWRtaW46cEBzc3cwcmQ=

Base64 (an encoding, not encryption; anyone who sees the header can reverse it):

~$ echo "YWRtaW46cEBzc3cwcmQ=" | base64 -d
admin:p@ssw0rd
~$

Basic Authentication
credentials are passed in clear text, on every request
solution: Basic Auth only over SSL/HTTPS
the data is then encrypted in transit, so the value of Authorization is not visible on the wire
however: still exposed to a client-side attack or a MitM that can strip or downgrade TLS, and the credentials travel with every request
still vulnerable to brute-force attack: the protocol itself has no lockout or rate limit

Digest Authentication

Digest Authentication
an improvement over Basic Authentication
the password itself is never sent; the client sends an MD5 hash of username, realm and password combined with a server-supplied nonce (a hash, not encryption: a captured exchange can still be brute-forced offline, and MD5 is fast)

Digest Authentication
originally specified by RFC 2069
later replaced by RFC 2617 (and, since 2015, RFC 7616)

Authentication
Exercise: with your browser pointing at Burp Suite as its HTTP proxy, open the following sites:
basic: http://188.241.117.154/__wslab__/auth
digest: http://188.241.117.154/__wslab__/authd
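What the two schemes above actually put on the wire, as an added example (not code from the deck): decoding the captured Basic header, and computing and verifying a Digest response with the RFC 2617 formula. The Basic token is the one shown in the slides; the Digest values are the worked example from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), reused here as constructed input.

```python
"""What Basic and Digest authentication put on the wire.

Added example, not from the slides. The Basic token is the one captured
in the slides; the Digest values are the worked example from RFC 2617
section 3.5, reused here as constructed input.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Dict, Tuple


def decode_basic(authorization: str) -> Tuple[str, str]:
    """'Authorization: Basic <b64>' -> (user, password).
    Base64 is an encoding, not encryption: whoever sees the header has
    the password."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64") from exc
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password


def encode_basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). A server stores this, not the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    The password never travels, but every other input is visible on the
    wire, so a sniffed exchange can be brute-forced offline against MD5."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(params: Dict[str, str], method: str,
                  ha1_for_user: Callable[[str], str]) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    A real server also checks that the nonce is one it issued recently and
    that nc has not been replayed."""
    expected = digest_response(ha1_for_user(params["username"]), method,
                               params["uri"], params["nonce"], params["nc"],
                               params["cnonce"], params.get("qop", "auth"))
    return hmac.compare_digest(expected, params["response"])


# Constructed input: the RFC 2617 section 3.5 example exchange.
RFC2617_PARAMS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46cEBzc3cwcmQ="))
    store = {"Mufasa": digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
    print(verify_digest(RFC2617_PARAMS, "GET", store.__getitem__))
```

Point Burp at the digest lab URL above and compare the Authorization header it captures with RFC2617_PARAMS: same fields, and the server can only check them because it holds HA1 for that realm.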

Session/Cookie Hijacking

Session Hijacking
HTTP is a stateless protocol
sessions/cookies are used to maintain state
exploitation of a valid web application session to gain unauthorized access
session fixation
session sidejacking

Broken Session Management

Session Management Flaws
a session ID is just as good as credentials to an attacker
the session ID is typically exposed on the network, in the browser, in logs ...
Typical Impact
user accounts compromised or user sessions hijacked

Session Fixation
session fixation
sending a maliciously crafted link that contains a particular session ID
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
the victim clicks the link and logs in
the attacker uses the same link with the same, now authenticated, session ID to gain access

Session Fixation
cross-subdomain cooking
a subdomain has been compromised: news.example.com
visiting news.example.com sets a session cookie with domain *.example.com in the victim's browser
when the victim visits www.example.com and logs in, the previously set cookie is sent with the request, so the attacker-chosen session ID becomes authenticated

Session Fixation: Preventions

do not accept session identifiers from GET / POST variables
implement identity confirmation: issue a new session ID after successful login
second level of authentication for sensitive actions
store the session identifier only in HTTP cookies (HttpOnly, Secure)
tie the session to the SSL/TLS session identifier
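The fixation scenario and the preventions above, as an added example (not code from the deck): a login that adopts whatever SID the client presents beside one that only recognises server-issued IDs and rotates the ID on login, with the cookie attributes that keep it off the wire in clear. The in-memory store, user names and cookie attributes are constructed for the example; a real application would use its framework's session store.

```python
"""Session handling that resists fixation: never adopt a client-chosen ID,
and rotate the ID when privilege changes (login).

Added example, not from the slides. The in-memory store, user names and
cookie attributes are constructed for the example.
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new(self) -> str:
        """Fresh, server-generated ID: 32 random bytes, 43 URL-safe chars."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid: str) -> None:
        """The fixation bug: register whatever ID the client presented."""
        self._sessions.setdefault(sid, {"user": None})

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._sessions.get(sid) if sid else None

    def rotate(self, old_sid: str) -> str:
        """Move the session data under a new ID; the old ID stops working."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def login_vulnerable(store: SessionStore, request_sid: str,
                     user: str, password_ok: bool) -> str:
    """Honours a SID from the cookie OR the ?SID= query string and keeps it
    across login. If the attacker chose request_sid, they now hold an
    authenticated session."""
    store.adopt(request_sid)
    if password_ok:
        store.get(request_sid)["user"] = user
    return request_sid


def login_safe(store: SessionStore, cookie_sid: Optional[str],
               user: str, password_ok: bool) -> Optional[str]:
    """Only a server-issued cookie SID is recognised, and a successful login
    always moves to a new ID. Returns the SID to set, or None on failure."""
    if store.get(cookie_sid) is None:
        cookie_sid = store.new()          # unknown/forged ID: start over, do not adopt it
    if not password_ok:
        return None
    new_sid = store.rotate(cookie_sid)
    store.get(new_sid)["user"] = user
    return new_sid


def set_cookie_header(sid: str) -> str:
    """Secure: never sent over plain HTTP (sidejacking). HttpOnly: not readable
    by script. SameSite: not attached to cross-site requests."""
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    fixed = "I_WILL_KNOW_THE_SID"      # the attacker's link: /?SID=I_WILL_KNOW_THE_SID
    s1 = SessionStore()
    login_vulnerable(s1, fixed, "victim", True)
    print("vulnerable: attacker's SID is now", s1.get(fixed))
    s2 = SessionStore()
    new = login_safe(s2, fixed, "victim", True)
    print("safe: attacker's SID known?", s2.get(fixed) is not None, "| new SID issued:", new != fixed)
    print(set_cookie_header(new))
```

The same rotation covers the cross-subdomain case: a cookie planted by news.example.com is never the ID that ends up authenticated on www.example.com.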

Session Sidejacking
the attacker uses packet sniffing to read network traffic and steal session cookies
unsecured WiFi hotspots
unsecured web applications, which:
only use HTTPS during authentication
use HTTP for the rest of the site after authentication, so the session cookie travels in clear

Session Sidejacking
several exploitation tools:
Firesheep: a Mozilla Firefox extension that made users of unencrypted public WiFi easy prey for session hijackers
WhatsApp sniffer: able to display messages from other WhatsApp users connected to the same network
DroidSheep: listens to HTTP traffic sent over wireless and extracts session IDs from these HTTP packets

Session Sidejacking: Preventions

encrypt the data traffic between both parties: SSL/TLS for the whole site, and mark the session cookie Secure so it is never sent over plain HTTP
long, random session IDs: eliminate the possibility of guessing a valid session key
regenerate the session ID after successfully authenticating a user
secondary check/authentication of a valid user

Session Hijacking
Exercise: open http://demo.testfire.net
using Burp Suite / Firefox with Firebug
study the HTTP headers of each request/response
login ID: sjoe / jsmith / cclay / sspeed
password: demo1234

Security Misconfiguration

Security Misconfiguration
web applications rely on a secure foundation
everywhere from the OS up through the app server, including all the libraries/tools you are using
do you change all credentials (defaults included) regularly in the production environment?
do you remove all the examples that come with the tools you are using?

Security Misconfiguration
Typical Impact
backdoor installed through a missing OS or server patch
XSS/SQL injection/etc. flaws due to missing application library/framework patches
unauthorized access to default accounts or to unused but still reachable functionality, due to poor installation of the tools used or of the server configuration

Security Misconfiguration
Protection
verify the system configuration management
a secure configuration hardening guideline must cover the entire platform and application
keep up with patches for all components
deactivate unnecessary features, accounts and sample content

Missing Function Level Access Control

Missing Function Level Access Control
Common Mistakes:
displaying only authorized links and menu choices, and treating that as access control
attackers simply forge direct requests to unauthorized pages (forced browsing)
Typical Impact
perform privileged actions
access other users' accounts and data

Missing Function Level Access Control
Protection
restrict access to authenticated users (if not public)
enforce user role based permissions (if private), on the server, for every request
completely disallow requests to unauthorized page types:
config files
log files, etc.
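The protection list above, as an added example (not code from the deck or from demo.testfire.net): a dispatcher that checks authentication and role on every request, so that a forced request to /admin gets the same 401/403 as a menu click would, and a suffix deny-list for config and log files. The routes, roles, users and blocked file types are constructed for the example.

```python
"""Function-level access control enforced on the server, per request.

Added example, not from the slides or from demo.testfire.net. The routes,
roles, users and blocked file types are constructed for the example.
"""
from functools import wraps
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, str]
User = Optional[dict]                 # None = anonymous; {"name": ..., "roles": [...]}
Handler = Callable[[User], Response]

ROUTES: Dict[str, Handler] = {}


def route(path: str, roles: Optional[Set[str]] = None):
    """Register a handler. roles=None: public. roles=set(): any logged-in
    user. roles={...}: user needs at least one of them. The check runs on
    every request, whatever menu the UI showed."""
    def deco(fn: Handler) -> Handler:
        @wraps(fn)
        def guarded(user: User) -> Response:
            if roles is None:
                return fn(user)
            if user is None:
                return 401, "authentication required"
            if roles and not roles.intersection(user.get("roles", [])):
                return 403, "forbidden"
            return fn(user)
        ROUTES[path] = guarded
        return fn
    return deco


@route("/")
def home(user: User) -> Response:
    return 200, "welcome"


@route("/account", roles=set())
def account(user: User) -> Response:
    return 200, f"account of {user['name']}"


@route("/admin", roles={"admin"})
def admin_panel(user: User) -> Response:
    return 200, "admin panel"


# Never served through the application, no matter who asks (assumed list).
BLOCKED_SUFFIXES = (".conf", ".log", ".bak", ".ini", ".sql")


def dispatch(path: str, user: User) -> Response:
    """The only way in: forced browsing hits the same guard as a menu click."""
    if path.lower().endswith(BLOCKED_SUFFIXES):
        return 404, "not found"
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(user)


def menu_for(user: User) -> list:
    """What the UI shows. Hiding a link is convenience, not security:
    dispatch() above is what actually decides."""
    links = ["/"]
    if user is not None:
        links.append("/account")
    if user and "admin" in user.get("roles", []):
        links.append("/admin")
    return links


if __name__ == "__main__":
    jsmith = {"name": "jsmith", "roles": ["user"]}
    print(menu_for(jsmith))                          # no /admin link...
    print(dispatch("/admin", jsmith))                # ...and a forced request still gets 403
```

The exercise that follows is exactly the gap between menu_for and dispatch: if the demo site only does the former, forced browsing to the admin area succeeds.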

Missing Function Level Access Control

Exercise
open: http://demo.testfire.net
Task 1: forcefully browse your way into an administration area
Task 2: log into that admin area
Task 3: download any confidential document
